oh-bee Posted July 17, 2020

I also want to say thx to @maciekish, and I also agree with the opinion of @Indmenity83: "sticking with this after the responses he got". I read the post from the beginning to the end, and at every single follow-up of all these "I know your requirements better than you" guys, I thought: wtf ...
groot-stuff Posted September 13, 2020

Thank you @maciekish and @Indmenity83 for pursuing the resolution of the problem presented in the OP. I too have experienced unhelpful and out-of-scope "resolutions" in the past. The key to this thread is that regardless of the security of the application in question, the question is not how to "be more secure" or "work around the problem"... it is about solving the problem presented.

I too use a reverse proxy to access my unRaid gui... which is completely restricted to internal machines or those connected to my VPN. There is no security risk to my unRaid gui being behind a reverse proxy that only works... on the internal network, the same as the local IP of the gui.

Again, really appreciate the nginx response from @Indmenity83, thanks to you both!
groot-stuff Posted September 13, 2020 (edited)

Despite the thanks... `gzip off;` doesn't work for me @Indmenity83, or I am not entering it in the right .conf file. I have tried in my nginx x.subdomain.conf file (below) as well as the main nginx.conf file (changing from on to off) and the site-confs > default file. Where are you entering this?

```
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name myunRaidSubdomain.*;
    include /config/nginx/ssl.conf;
    client_max_body_size 0;
    gzip off;

    location / {
        include /config/nginx/proxy.conf;
        proxy_pass https://[unRaidIP];
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
    }
}
```

Edited September 13, 2020 by SidereusAquila
szwhy Posted November 15, 2020 (edited)

> On 9/14/2020 at 4:46 AM, groot-stuff said:
>
> Despite the thanks... `gzip off;` doesn't work for me @Indmenity83, or I am not entering it in the right .conf file. I have tried in my nginx x.subdomain.conf file (below) as well as the main nginx.conf file (changing from on to off) and the site-confs > default file. Where are you entering this?
>
> ```
> server {
>     listen 443 ssl;
>     listen [::]:443 ssl;
>     server_name myunRaidSubdomain.*;
>     include /config/nginx/ssl.conf;
>     client_max_body_size 0;
>     gzip off;
>
>     location / {
>         include /config/nginx/proxy.conf;
>         proxy_pass https://[unRaidIP];
>         proxy_set_header Upgrade $http_upgrade;
>         proxy_set_header Connection "Upgrade";
>     }
> }
> ```

@groot-stuff `proxy_buffering off;` should solve the problem.

Edited November 15, 2020 by szwhy
LukePOLO Posted July 6, 2021

I am using the nginx reverse proxy and tried adding the advanced config

```
proxy_buffering off;
proxy_buffer_size 16k;
proxy_busy_buffers_size 24k;
proxy_buffers 64 4k;
proxy_request_buffering off;
client_max_body_size 0;
gzip off;
```

No go for me /.cry
groot-stuff Posted July 6, 2021

> 1 hour ago, LukePOLO said:
>
> I am using the nginx reverse proxy and tried adding the advanced config
>
> ```
> proxy_buffering off;
> proxy_buffer_size 16k;
> proxy_busy_buffers_size 24k;
> proxy_buffers 64 4k;
> proxy_request_buffering off;
> client_max_body_size 0;
> gzip off;
> ```
>
> No go for me /.cry

This is what I've got configured, and the progress UI updates, but at a much slower rate than without using the reverse proxy (maybe every 15-30 secs), so oftentimes the entire docker update is completed by the time it updates. When installing/updating larger dockers (like Android Studio) I can see the progress updates come through mid-process.

```
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name unRaidSubdomain.*;
    include /config/nginx/ssl.conf;
    client_max_body_size 0;

    # https://forums.unraid.net/topic/73158-progress-ui-not-working-through-reverse-proxy/page/2/
    gzip off;
    proxy_buffering off;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    # enable for Authelia
    #include /config/nginx/authelia-server.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /ldaplogin;

        # enable for Authelia
        #include /config/nginx/authelia-location.conf;

        include /config/nginx/proxy.conf;
        proxy_pass https://[unRaidIP];
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
    }
}
```

It's been a while, but I think these are all of the additions I made when I was messing with it...

In the server block:

```
gzip off;
proxy_buffering off;
```

In the location block (my webui is set for HTTPS only):

```
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
```
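The settings the thread converges on (`gzip off;` and `proxy_buffering off;`) matter because both compression and response buffering make the proxy hold the progress output until the backend's response is complete, so the browser sees nothing until the job is done. The following check is an added illustration, not code from this thread or from Unraid: it embeds a small constructed backend whose `/stream` path flushes each progress line as it is produced and whose `/buffered` path holds everything back (standing in for a buffering proxy), plus a raw-socket probe that times when body bytes arrive. The same probe, pointed at a real proxy host and port (with `tls=True` for an https endpoint), tells you whether the proxy still delivers the stream incrementally after a config change.

```python
"""Probe whether an HTTP endpoint delivers its body incrementally or only once
the whole response is complete. A buffering or compressing proxy in front of a
progress stream shows up as a body that arrives in one burst after a long wait.

Added illustration, not code from the thread. The embedded server and its two
paths (/stream, /buffered) are constructed here to stand in for a streaming
backend with and without a buffering proxy in front of it."""
import socket
import ssl
import threading
import time
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

CHUNK_DELAY = 0.2   # seconds between progress lines the fake backend emits
CHUNKS = 5          # number of progress lines per response


class ProgressHandler(BaseHTTPRequestHandler):
    """Fake backend: /stream flushes each progress line as it is produced,
    /buffered holds everything and sends it in one go (what a buffering proxy does)."""
    protocol_version = "HTTP/1.1"   # required for chunked transfer encoding

    def do_GET(self):
        lines = [f"progress {i + 1}/{CHUNKS}\n".encode() for i in range(CHUNKS)]
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Transfer-Encoding", "chunked")
        self.end_headers()
        if self.path == "/buffered":
            time.sleep(CHUNK_DELAY * CHUNKS)      # the "work" finishes first...
            self._chunk(b"".join(lines))          # ...then the whole body lands at once
        else:
            for line in lines:
                self._chunk(line)                 # each line goes out immediately
                time.sleep(CHUNK_DELAY)
        self._chunk(b"")                          # zero-length chunk ends the body

    def _chunk(self, data):
        # HTTP/1.1 chunk framing: hex length, CRLF, payload, CRLF
        self.wfile.write(f"{len(data):x}\r\n".encode() + data + b"\r\n")

    def log_message(self, *args):                 # keep the demo output quiet
        pass


def start_server():
    """Start the fake backend on a free loopback port; returns the server object."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), ProgressHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def body_spread(host, port, path, tls=False, timeout=5.0):
    """GET the path over a raw socket and return the seconds between the first
    and the last packet carrying body bytes. Near zero means the body arrived
    in one burst (buffered); a large value means it was streamed."""
    req = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    sock = socket.create_connection((host, port), timeout=timeout)
    if tls:   # for a real https:// proxy; a private CA must be loaded into the context
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    buf, body_started, stamps = b"", False, []
    with sock:
        sock.sendall(req)
        while True:
            data = sock.recv(4096)
            if not data:
                break
            buf += data
            if not body_started:
                end = buf.find(b"\r\n\r\n")
                if end < 0 or len(buf) == end + 4:
                    continue        # only headers so far, nothing to time yet
                body_started = True
            stamps.append(time.monotonic())
    return stamps[-1] - stamps[0] if stamps else 0.0


def delivers_incrementally(host, port, path, tls=False,
                           min_spread=CHUNK_DELAY * (CHUNKS - 1) / 2):
    """True if body bytes kept arriving over time rather than in a single burst."""
    return body_spread(host, port, path, tls) >= min_spread


if __name__ == "__main__":
    srv = start_server()
    port = srv.server_address[1]
    for path in ("/stream", "/buffered"):
        verdict = "streamed" if delivers_incrementally("127.0.0.1", port, path) else "buffered"
        print(f"{path}: {verdict}")
    srv.shutdown()
```

The threshold in `delivers_incrementally` is half the spread the constructed backend is expected to produce; against a real progress endpoint, pick it from how long the job actually runs. Because the probe times packets rather than parsing the body, it works the same whether the proxy compresses, re-chunks, or passes the response through untouched.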
D16R Posted August 21, 2021

Thank you for the information. I really appreciate finding out the actual problem. I am currently running the latest NGINX Proxy Manager. The following configuration appears to be working well for me:

Cache assets: false, Block common exploits: false, Websockets support: true
Force SSL: true, HTTP/2 Support: true, HSTS Enabled: true, HSTS subdomains: true
Custom Nginx Configuration: `gzip off;`

Thank you, everyone.
Renegade605 Posted October 1, 2021

> On 8/21/2021 at 2:12 PM, D16R said:
>
> Thank you for the information. I really appreciate finding out the actual problem. I am currently running the latest NGINX Proxy Manager. The following configuration appears to be working well for me:
>
> Cache assets: false, Block common exploits: false, Websockets support: true
> Force SSL: true, HTTP/2 Support: true, HSTS Enabled: true, HSTS subdomains: true
> Custom Nginx Configuration: `gzip off;`
>
> Thank you, everyone.

Came here to add that I am also using NPM, with different config options that work fine. `gzip off;` in the advanced tab seems to be the only setting that matters, as I have different SSL settings and cache assets and block common exploits on.

I also tried using `location /plugins { gzip off; }`, roughly in line with OP's solution for Caddy, but this caused the entire docker page to get stuck with the Unraid loading icon forever. I can't find anything online to indicate that disabling gzip for the entire Unraid proxy has any downsides, so I'm going to leave it that way.

Also, a hearty second to all the thanks to the folks who stuck with this and solved the problem. I would have knocked off and ended this discussion long before OP did. These "you're doing it bad and you should feel bad" responses were on an entirely different level than friendly advice, which unfortunately happens quite often in these forums.

Did I mention I never let any of my disks spin down? Oops, here comes a flame war on a 3-year-old thread! 🤐
enz1ey Posted October 20, 2023

> On 8/21/2021 at 4:12 PM, D16R said:
>
> Thank you for the information. I really appreciate finding out the actual problem. I am currently running the latest NGINX Proxy Manager. The following configuration appears to be working well for me:
>
> Cache assets: false, Block common exploits: false, Websockets support: true
> Force SSL: true, HTTP/2 Support: true, HSTS Enabled: true, HSTS subdomains: true
> Custom Nginx Configuration: `gzip off;`
>
> Thank you, everyone.

Another necro-thanks here for this information, specifically for NPM. I was going in circles with this, and luckily there were some persistent folks in this thread who offered actual solutions.

For the record, using a reverse proxy doesn't always mean you're exposing those hosts to the internet. I use Nginx Proxy Manager so, like @Indmenity83 said, I don't have to remember a bunch of port numbers, so I can get granular with my password manager, and most of all, so my browsers stop bugging me about using an insecure protocol. I use a wildcard certificate with DNS challenge, so my internal services are still secured with SSL but never exposed to the internet.

My mother always said not to assume things, because... Well, you know.
maciekish (Author) Posted October 20, 2023 (edited)

> On 7/31/2018 at 7:15 PM, JonathanM said:
>
> Correct, if a reverse proxy is done right and maintained correctly, it's just as secure as a VPN. To do it right is more work than just setting up the VPN, and has more chances of going wrong.

Really? Generate a CA cert and add this to Caddy. Done.

```
(defaults) {
    @exclude-paths {
        not path /plugins/*
        not path */plugins/*
        not path /logging.htm
    }
    encode @exclude-paths {
        gzip 7
        zstd
    }
    log {
        output file /var/log/caddy/access.log {
            roll_size 20MiB
            roll_keep 5
            roll_keep_for 720h
        }
    }
}

(client-auth) {
    tls {
        client_auth {
            mode require_and_verify
            trusted_ca_cert_file /mnt/user/appdata/caddy2/ca.crt
        }
    }
}

domain.name {
    import defaults
    import client-auth
    reverse_proxy * http://10.0.1.0
}
```

VPNs require explicit connecting, and even stateless protocols like Wireguard have issues when you roam between unstable connections. Suddenly it just doesn't work when it still shows connected. With Caddy and split DNS I can just type in the same URL on any of my devices from anywhere in the world and access anything on my home network. Been running this exact config for over 5 years with zero issues. Can't say the same about VPNs.

Edited October 20, 2023 by maciekish
JonathanM Posted October 20, 2023

> 16 minutes ago, maciekish said:
>
> Really?

Yes really. Just because you are capable of setting up a secure reverse proxy doesn't mean it's easy for someone else. The good thing about a VPN is there is very little chance of exposing something by accident. Fail safe vs. fail open.
maciekish (Author) Posted October 20, 2023

> 13 minutes ago, JonathanM said:
>
> Yes really. Just because you are capable of setting up a secure reverse proxy doesn't mean it's easy for someone else. The good thing about a VPN is there is very little chance of exposing something by accident. Fail safe vs. fail open.

Very little chance of exposing something by accident? Last time I checked, a VPN exposes the entire network. Unless you configure it for specific hosts only. Which also requires configuration and knowledge, just like a reverse proxy. A reverse proxy, on the other hand, only exposes a single http service. Both don't let any traffic through to the target service until you authenticate with a client certificate.
JonathanM Posted October 20, 2023

> 2 minutes ago, maciekish said:
>
> Very little chance of exposing something by accident? Last time I checked, a VPN exposes the entire network.

Not if you follow the wireguard tutorials specifically for the Unraid service. https://docs.unraid.net/unraid-os/manual/security/vpn/
bfenty Posted January 11

> On 7/6/2021 at 2:53 PM, groot-stuff said:
>
> This is what I've got configured, and the progress UI updates, but at a much slower rate than without using the reverse proxy (maybe every 15-30 secs), so oftentimes the entire docker update is completed by the time it updates. When installing/updating larger dockers (like Android Studio) I can see the progress updates come through mid-process.
>
> ```
> server {
>     listen 443 ssl;
>     listen [::]:443 ssl;
>     server_name unRaidSubdomain.*;
>     include /config/nginx/ssl.conf;
>     client_max_body_size 0;
>
>     # https://forums.unraid.net/topic/73158-progress-ui-not-working-through-reverse-proxy/page/2/
>     gzip off;
>     proxy_buffering off;
>
>     # enable for ldap auth, fill in ldap details in ldap.conf
>     #include /config/nginx/ldap.conf;
>
>     # enable for Authelia
>     #include /config/nginx/authelia-server.conf;
>
>     location / {
>         # enable the next two lines for http auth
>         #auth_basic "Restricted";
>         #auth_basic_user_file /config/nginx/.htpasswd;
>
>         # enable the next two lines for ldap auth
>         #auth_request /auth;
>         #error_page 401 =200 /ldaplogin;
>
>         # enable for Authelia
>         #include /config/nginx/authelia-location.conf;
>
>         include /config/nginx/proxy.conf;
>         proxy_pass https://[unRaidIP];
>         proxy_set_header Upgrade $http_upgrade;
>         proxy_set_header Connection "Upgrade";
>     }
> }
> ```
>
> It's been a while, but I think these are all of the additions I made when I was messing with it...
>
> In the server block:
>
> ```
> gzip off;
> proxy_buffering off;
> ```
>
> In the location block (my webui is set for HTTPS only):
>
> ```
> proxy_set_header Upgrade $http_upgrade;
> proxy_set_header Connection "Upgrade";
> ```

Any idea where all of this goes in nginx reverse proxy manager? I like the manager gui because it makes life easier, but when it comes to advanced configs it can be a pain...
bfenty Posted January 11

> On 10/20/2023 at 8:06 AM, JonathanM said:
>
> Yes really. Just because you are capable of setting up a secure reverse proxy doesn't mean it's easy for someone else. The good thing about a VPN is there is very little chance of exposing something by accident. Fail safe vs. fail open.

OMG man, let it go. Your posts are at the point of being unhelpful. We know there are guides out there for VPNs. That's a good solution for some people. Reverse proxies are also a good solution for some people. Yes, it takes correct setup, as does anything. A warning about that is warranted, but you're well past that.

A properly secured 2-factor authentication gateway (such as Authelia) along with HTTPS certs should be more than enough to secure the reverse proxy. No, not everyone will do that, but that's not your responsibility (and if you're reading this, PLEASE set up your reverse proxy with this kind of security, or consider not doing it at all).

Off the top of my head, a couple of valid use-cases:

- Local network only, to avoid having to remember all the ports and IPs for all your applications
- Remote access where a VPN isn't viable, for instance on a work PC without admin access

In the future, please consider just answering the question, or don't respond. Thank you.
JonathanM Posted January 11

> 25 minutes ago, bfenty said:
>
> don't respond

Noted. You are on my don't respond list.
groot-stuff Posted January 11

> 39 minutes ago, bfenty said:
>
> Any idea where all of this goes in nginx reverse proxy manager? I like the manager gui because it makes life easier, but when it comes to advanced configs it can be a pain...

That is the entirety of the abc.subdomain.conf file for my unraid subdomain, located in /mnt/user/appdata/swag/nginx/proxy-confs/

You may have a slightly different path to the proxy-confs folder though, depending on your setup.
bfenty Posted January 12

> 9 hours ago, groot-stuff said:
>
> That is the entirety of the abc.subdomain.conf file for my unraid subdomain, located in /mnt/user/appdata/swag/nginx/proxy-confs/
>
> You may have a slightly different path to the proxy-confs folder though, depending on your setup.

nginx manager is a gui for nginx. It obfuscates a lot of the manual work, which is great 99% of the time. You just select url/ip/port and hit save. The only problem is if you need custom locations; it would be easier to just do it in a .conf file. I'll see if I can figure it out on my own for this one though.